
OpenClaw versions prior to 2026.2.26 allow attackers to write files outside the workspace

CVE-2026-32055
Summary

Versions of OpenClaw before 2026.2.26 can be tricked into saving files outside of the workspace if an attacker creates a symbolic link (a kind of shortcut) inside the workspace that points to a location outside it that does not exist yet. This could allow an attacker to write sensitive information in a location they shouldn't be able to write to. Update to OpenClaw 2026.2.26 or later to fix this issue.

Original title
OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks...
Original description
OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation to escape the workspace boundary and create files in arbitrary locations.
nvd CVSS3.1 7.6
nvd CVSS4.0 7.2
Vulnerability type
CWE-22 Path Traversal
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026
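
The failure mode in the description above, shown as an added example that is not OpenClaw's code: a constructed Node.js boundary check that falls back to the lexical path when `realpath` fails on a dangling symlink, beside a check that follows the link by hand. The function names, the fallback pattern and the temp-directory layout are assumptions made for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const inside = (root, p) => p === root || p.startsWith(root + path.sep);

// Weak check (hypothetical): realpath throws ENOENT on a dangling symlink and
// the fallback keeps the lexical path, which still looks in-workspace.
function weakCheck(root, target) {
  let resolved;
  try { resolved = fs.realpathSync(target); } catch { resolved = path.resolve(target); }
  return inside(fs.realpathSync(root), resolved);
}

// Resolve where a write would land: follow each symlink by hand with
// lstat/readlink so a link to a not-yet-existing target is still followed.
function resolveForWrite(target, hops = 0) {
  if (hops > 40) throw new Error('too many symlink hops');
  const abs = path.resolve(target);
  const parent = path.dirname(abs);
  if (parent === abs) return abs; // reached the filesystem root
  const candidate = path.join(resolveForWrite(parent, hops), path.basename(abs));
  let st;
  try { st = fs.lstatSync(candidate); } catch (e) {
    if (e.code === 'ENOENT') return candidate; // genuinely new file
    throw e;
  }
  if (!st.isSymbolicLink()) return candidate;
  const link = fs.readlinkSync(candidate); // may be relative to the link's dir
  return resolveForWrite(path.resolve(path.dirname(candidate), link), hops + 1);
}

function hardenedCheck(root, target) {
  return inside(resolveForWrite(root), resolveForWrite(target));
}

// Constructed scenario in a temp dir: workspace/notes.txt -> ../outside.txt (absent).
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-')));
  const root = path.join(base, 'workspace');
  fs.mkdirSync(root);
  fs.symlinkSync(path.join('..', 'outside.txt'), path.join(root, 'notes.txt'));
  const result = {
    weak: weakCheck(root, path.join(root, 'notes.txt')),         // true: bypassed
    hardened: hardenedCheck(root, path.join(root, 'notes.txt')), // false: rejected
    newFile: hardenedCheck(root, path.join(root, 'new.txt')),    // true: allowed
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

A check followed by a separate write can still race with a link being swapped in, so the write itself should also refuse to follow symlinks at the final path component.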